RE: [FW1] Thoughts on external access to Intranet server -Reply
Luc,

That's one option. What makes it harder is that on one side, I have close to 1000 internal users who will be using one aspect, and at least 17 external companies using another. I simply can't give each person a card. As well, this is good for authentication, but what I need is more secure access to the data, not just the authentication.

Thanks though.

Mike

> -----Original Message-----
> From: Luc Terryn [SMTP:[email protected]]
> Sent: Thursday, November 23, 2000 15:37
> To: [email protected]
> Subject: [FW1] Thoughts on external access to Intranet server -Reply
>
> Hi Mike,
>
> My suggestion would be to at least use strong authentication like
> SecurID, Vasco, ActivCard.
> I am used to Vasco, which can implement Triple DES and also has some way to
> use an optical challenge to ease the authentication process.
> I would not use SecurID because it is a one-time password, less secure
> than time-based challenge-response.
>
> If the data itself is sensitive, encryption could be added with the same
> kind of authentication.
>
> If you like directories, ActivCard has an integration within Novell NDS
> and an LDAP/RADIUS dialog is possible.
> I know of some such implementations also.
>
> If the data itself is really sensitive then you may combine this with
> SecuRemote.
> This works fine, but I suppose you will quickly become a SecuRemote
> specialist because it drives a lot of support calls.
> Also pay attention that SecuRemote works poorly or not at all if the
> client has hide translation.
>
> I hope this helps.
>
> Regards
>
> Luc Terryn
>
> Belgocontrol
> Belgian Air Traffic Control
>
>
> >>> Mike Glassman - Admin <[email protected]> 11/23/00 11:41am >>>
>
> All,
>
> The folks here have decided that an Intranet server will be a good thing
> (finally).
>
> The issue is that they also want access to this server from outside, which
> in itself is not too much of an issue. Where it becomes a bit more sticky is
> that they wish to allow external companies access to specific issues on
> this server, and via them, to other servers in our network (NT, Netware,
> Unix, AS400 and so on). As well, they want access for users of ours from
> outside inside with, once again, the ability to access and change data on
> internal servers.
>
> Now I could simply allow http access via the firewall with authentication on
> both the FW and the Intranet server, but that's about as secure as leaving
> $100s lying around on the floor for all to see and go for.
>
> My current setup is as follows :
>
> Internet
>    |
> Router (double with BGP4 to two ISP's)
>    |
> FireWall----DMZ (there's more, but this is all that matters right now)
>    |
> Local Network (servers and users)
>
> I was thinking that perhaps an additional machine or machines on the DMZ,
> set up as reverse proxies, or perhaps HTTP routing servers, which would get
> the external requests and only this server (or servers) would then be
> allowed to forward and receive data to and from the internal Intranet
> server.
>
> Again, the logic is in there, but I'd really appreciate some direct help on
> how to best set this up.
>
> I can't add a second FireWall, and the routers on the Internet side are Bay
> (so not easy to set up access lists) and already run BGP4, so I'd rather not
> add anything more to them which may cause them to falter in any way.
>
> Ideas and thoughts are welcomed.
>
> Please also forward a copy to my email address direct as well as to the
> group if you can of any thoughts you may have.
>
> Thanks Ahead,
>
> Mike Glassman
> System & Security Admin
> Israeli Airports Authority
> Ben-Gurion Airport
> http://www.ben-gurion-airport.co.il
>
> Tel : 972-3-9710785
> Fax : 972-3-9710939
> Email : [email protected]
>
> Usage of this email address or any email address at iaa.gov.il for the
> purpose of sales pitches, SPAM or any other such unwanted garbage, is
> illegal, and any person, whether corporate or alone doing so, will be
> prosecuted to the fullest possible extent.
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
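The "reverse proxies on the DMZ" idea from Mike's original message, written out as an added example that is not part of this thread or of any product named in it: a small allowlisting HTTP reverse proxy in Python. Only requests for a fixed set of path prefixes and methods are forwarded to the intranet server; everything else is refused at the DMZ host, so the internal server never sees it. The intranet hostname, the exposed prefixes and the listening port are assumed placeholders. The firewall rule that permits only this DMZ host to open connections to the intranet server is outside the code and is what makes the proxy the single choke point.

```python
"""Allowlisting reverse proxy for a DMZ host (constructed example).

Assumptions, not taken from the thread: the intranet server is reachable from
the DMZ at INTRANET_UPSTREAM, and only the prefixes in ALLOWED_PREFIXES are the
"specific issues" meant to be visible from outside.
"""
import http.server
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlsplit

INTRANET_UPSTREAM = "http://intranet.internal.example:80"   # assumed placeholder
ALLOWED_PREFIXES = ("/public/", "/partners/")                # assumed placeholders
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# hop-by-hop headers plus Host, which urllib sets from the upstream URL
STRIPPED_HEADERS = {"connection", "keep-alive", "proxy-authenticate",
                    "proxy-authorization", "te", "trailers",
                    "transfer-encoding", "upgrade", "host"}
DENY_STATUS = {"method not allowed": 405}  # everything else is 403


def route_request(method, raw_target):
    """Decide whether an external request may reach the intranet server.

    Returns (True, upstream_url) when it may, else (False, reason).
    """
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        # absolute-form targets would turn this into an open proxy
        return False, "absolute-form target rejected"
    # decode percent-encoding, then collapse "." and ".." segments so the
    # prefix check sees the path the intranet server would actually resolve
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    for prefix in ALLOWED_PREFIXES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            break
    else:
        return False, "path not exposed"
    upstream = INTRANET_UPSTREAM + quote(path, safe="/")
    if parts.query:
        upstream += "?" + parts.query
    return True, upstream


class DmzProxyHandler(http.server.BaseHTTPRequestHandler):
    server_version = "DmzReverseProxy/0.1"

    def _handle(self):
        allowed, target = route_request(self.command, self.path)
        if not allowed:
            self.send_error(DENY_STATUS.get(target, 403), target)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in STRIPPED_HEADERS}
        headers["X-Forwarded-For"] = self.client_address[0]
        req = urllib.request.Request(target, data=body, headers=headers,
                                     method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                self.send_response(resp.status)
                for k, v in resp.getheaders():
                    if k.lower() not in STRIPPED_HEADERS:
                        self.send_header(k, v)
                self.end_headers()
                self.wfile.write(resp.read())
        except urllib.error.HTTPError as e:
            # pass the intranet server's own error status back unchanged
            self.send_response(e.code)
            self.end_headers()
            self.wfile.write(e.read())
        except urllib.error.URLError:
            self.send_error(502, "intranet server unreachable")

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # listen on the DMZ interface; the firewall should allow only this host
    # to initiate connections to INTRANET_UPSTREAM
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), DmzProxyHandler).serve_forever()
```

The routing decision is kept in `route_request` so it can be tested without a network. In a real deployment the same host would terminate TLS and carry the strong authentication Luc describes in front of this forwarding step.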